Certified Information Systems Auditor (CISA) — Question 172
Which of the following observations should be of GREATEST concern to an IS auditor performing an audit of an organization's social media practices?
Answer options
- A. Some employees have not received adequate training in the use of social media.
- B. The organization does not have a social media policy.
- C. Employees are using corporate devices to access mainstream social media websites.
- D. Employees are using corporate branding on personal social media postings.
Correct answer: B
Explanation
The absence of a social media policy (option B) is the most concerning issue because it indicates a lack of guidelines governing employee behavior online, which can lead to compliance and reputational risks. While inadequate training (option A) and the use of corporate devices (option C) are important, they can be addressed within the framework of a solid policy. Option D, while concerning, is a less significant risk than the absence of a policy to govern social media practices.